Content starts here Encryption-Based Data Redaction Examples
This page last changed on Feb 21, 2008.

edocs Home > BEA AquaLogic Data Services Platform 3.0/3.2 Documentation > ALDSP 3.2 New Features Documentation

Encryption-Based Data Redaction Examples

This topic provides several examples showing how encryption-based data redaction works when performing common operations.

Example Data Service Functions

The examples in this topic make use of the following data services:

Entity data service CustomerDS - The data service returns information about a customer conforming to the following schema:

CUSTOMER
   SSN: xs:string
   FIRST NAME: xs:string
   LAST NAME: xs:string
   CUSTOMER_SINCE: xs:date

The information is exposed through the public read function getCUSTOMERS(), which returns data similar to the following:

<CUSTOMER>
   <SSN>123-45-6789</SSN>
   <FIRST_NAME>John</FIRST_NAME>
   <LAST_NAME>Smith</LAST_NAME>
   <CUSTOMER_SINCE>2007-10-10</CUSTOMER_SINCE>
</CUSTOMER>

Entity data service OrderDS - The data service returns information about a customer order conforming to the following schema:

ORDER
   ORDER_ID: xs:integer
   CUSTOMER_SSN: xs:string
   DATE: xs:date
   STATUS: xs:string

The information is exposed through the public read function getORDERS(), which returns data similar to the following:

<ORDER>
   <ORDER_ID>1000</ORDER_ID >
   <CUSTOMER_SSN>123-45-6789</CUSTOMER_SSN>
   <DATE>2007-10-10</DATE>
   <STATUS>CLOSED</STATUS>
</ORDER>
<ORDER>
   <ORDER_ID>2000</ORDER_ID >
   <CUSTOMER_SSN>123-45-6789</CUSTOMER_SSN>
   <DATE>2007-11-11</DATE>
   <STATUS>OPEN</STATUS>
</ORDER>

Example Results

Projection of an Encrypted Field

Assuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS, the direct function call getCUSTOMERS() returns the following:

<CUSTOMER>
   <SSN>sjdlkggdlaklakskjfgk</SSN>
   <FIRST_NAME>John</FIRST_NAME>
   <LAST_NAME>Smith</LAST_NAME>
   <CUSTOMER_SINCE>2007-10-10</CUSTOMER_SINCE>
</CUSTOMER>

Note that the value of the SSN field is encrypted and unique for each distinct SSN.

Predicate Against an Encrypted Field

Assuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS, the following XQuery query returns ():

for $x in p:getCUSTOMERS()
where $x/SSN eq "123-45-6789"
return $x

This is because a match is attempted between an unencrypted value and the encrypted SSN value.

Outer Join on Encrypted Fields

Consider the following XQuery query that performs an outer join:

for $x in p:getCUSTOMERS()
return
<CUSTOMER>
   <SSN>{fn:data($x/SSN)}</SSN>
   {
   for $y in q:getORDERS()
   where $x/SSN eq $y/CUSTOMER_SSN
   return
      <ORDER_ID>{fn:data($y/ORDER_ID)}</ORDER_ID>
   }
</CUSTOMER>

Assuming that encryption-based data redaction has been configured for both the SSN field in CustomerDS and the CUSTOMER_SSN field in OrderDS, the query returns the following:

<CUSTOMER>
   <SSN>sjdlkggdlaklakskjfgk</SSN>
   <ORDER_ID>1000</ORDER_ID >
   <ORDER_ID>2000</ORDER_ID >
</CUSTOMER>

Notice that the outer join is performed as if encryption was not set. Note also that the value of the secured element in the result is encrypted.

Join Encrypted Field With Non-Encrypted Field

Assuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS but not on data service OrderDS, consider the following XQuery query that joins an encrypted field with a non-encrypted field:

for $x in p:getCUSTOMERS()
return
<CUSTOMER>
   <SSN>
      {fn:data($x/SSN)}
   </SSN>
   {
   for $y in q:getORDERS()
   where $x/SSN eq $y/CUSTOMER_SSN
   return
      <ORDER_ID>
         {fn:data($y/ORDER_ID)}
      </ORDER_ID>
   }
</CUSTOMER>

The query returns ().

Note that the outer join fails to return any results because the encrypted value of SSN does not match the non-encrypted value of CUSTOMER_SSN.

Group by an Encrypted Field

Consider the following SQL query that includes a group by clause:

SELECT CUSTOMER_SSN, COUNT(*y)
FROM ORDERS
GROUP BY CUSTOMER_SSN

Assuming that encryption-based data redaction has been configured for the CUSTOMER_SSN field in data service OrderDS and the getOrders() function has been mapped to the SQL table ORDERS, the SQL query returns the following:

(sjdlkggdlaklakskjfgk, 2)

Notice that the group by clause performs as if encryption was not set. Note also that the value of the secured column in the result is encrypted.

See Also

Concepts
How-Tos
Reference
Document generated by Confluence on Apr 28, 2008 16:19